Certificates for Cloud Management Gateway

About

Certificates are one of the primary requirements for setting up Cloud Management Gateway (CMG) and making it functional. Depending on the scenario, the certificate requirements vary between environments.

Here, we’ll discuss all CMG configuration-related certificates and how to configure them in detail.

Article Covers

  • CMG Server Authentication Certificate
  • CMG trusted root certificate to clients
  • Client Authentication Certificate
  • Client trusted root certificate to CMG
  • Certificate for HTTPS Management Point
  • Azure Management Certificate


Scenarios used in the table:

  Scenario I   : MP on HTTPS and clients are AD domain-joined
  Scenario II  : MP on HTTPS and clients are Azure AD-joined/hybrid joined
  Scenario III : MP is Enhanced HTTP and clients are AD domain-joined
  Scenario IV  : MP is Enhanced HTTP and clients are Azure AD-joined/hybrid joined

  Certificate Type                          | I   | II  | III | IV
  ------------------------------------------|-----|-----|-----|----
  CMG Server Authentication Certificate     | Yes | Yes | Yes | Yes
  CMG trusted root certificate to clients   | Yes | Yes | Yes | Yes
  Client Authentication Certificate         | Yes | No  | Yes | No
  Client trusted root certificate to CMG    | Yes | No  | Yes | No
  Certificate for HTTPS Management Point    | Yes | Yes | No  | No

Table 1: Certificate Requirement in Different Environments

CMG Server Authentication Certificate

     (This certificate is required in all scenarios)

The server authentication certificate is used to build a secure HTTPS channel between Azure and the SCCM server. You can get this certificate from a public certificate provider or from your internal public key infrastructure (PKI).

The certificate requires a globally unique common name, because the same name is used to create the CMG cloud service name and the storage account name in Azure. I want my CMG service name to be “ginucmg.cloudapp.net”. Let’s confirm whether it is available in Azure.

Verify CMG Service Name Availability in Azure

  • Login to the Azure Portal.
  • Select All resources and then select Add.
  • Search for Cloud service. Select Create.
  • In the DNS name field, type the service name you want, like “ginucmg”. Azure verifies whether it is available or already in use by another service. A green tick indicates it is available; a red X indicates it is already in use, so try a different name.

Note: There is no need to create any services in Azure Portal for CMG. Here we are just checking the service name availability. SCCM will automatically create these services in Azure when CMG is deployed.

  • If you want to enable a cloud distribution point with CMG, repeat the above steps to verify that the CMG service name is also available as a storage account name:
  • Search for Storage account.
  • Test your name in the Storage account name field.

If you want to use a certificate issued by a third-party certificate provider, you won’t be able to use the cloudapp.net domain, as it is owned by Microsoft. You need to get the certificate issued for your own domain name, for example “ginucmg.ginutausif.com”. You’re also required to create a CNAME record in your public DNS.

Create a canonical name record (CNAME) in your organization’s public DNS. This record creates an alias for the CMG to a friendly name that you use in the public certificate.

For example: XYZ Company names their CMG “sccmcmg”. This name becomes sccmcmg.CloudApp.Net in Azure. In XYZ’s public DNS namespace abc.com, the DNS administrator creates a new CNAME record mapping sccmcmg.abc.com to the real host name, sccmcmg.CloudApp.net.

In this article, we will be using an internal PKI for issuing certificates, so let’s start with the CMG Server Authentication Certificate.

Steps to Issue and Request the CMG Server Authentication Certificate

  • Log in to the AD CS server.
  • Click Start -> Run. Type in mmc and click OK.
  • Click File -> Add/Remove Snap-in.
  • Add the Certificate Templates and Certification Authority (Local) snap-ins.

  • Under Certificate Templates, right-click Web Server and click Duplicate Template.

  • In the Duplicate Template dialog box, ensure that Windows Server 2003 Enterprise Edition is selected and choose OK.
  • On the General tab, enter a Template display name.

  • On the Security tab, add the security group that contains the SCCM server from which we will request this certificate (for example, your ConfigMgr Servers group). Select the Enroll permission for this group and leave the Read permission selected. Then remove the Enroll permission from the Enterprise Admins security group.

  • On the Request Handling tab, select “Allow private key to be exported”.

  • On the Cryptography tab, make sure the Minimum key size is 2048-bit or 4096-bit. Click OK to close the template.

  • Now let’s issue this certificate. Under Certification Authority (Local), right-click Certificate Templates -> New -> Certificate Template to Issue.

  • Select the certificate template we created above and click OK.

  • Now let’s go back to our SCCM server and request the CMG Server Authentication Certificate.
  • Click Start -> Run. Type in mmc and click OK.
  • Click File -> Add/Remove Snap-in, then add the Certificates snap-in.
  • Right-click Certificates -> All Tasks -> Request New Certificate.

  • Click Next on both Certificate Enrollment pages.
  • Click “More information is required to enroll for this certificate. Click here to configure settings” under CMG Server Authentication Certificate.

  • On Certificate Properties, in the Subject tab, under Subject name, choose Common name as the Type.

         In the Value box, specify the FQDN of the CMG service name that we validated above in Azure: ginucmg.cloudapp.net.

         Click on Add and then choose OK to close the Certificate Properties dialog box.

  • If you want to use your own public domain, add a common name like “ginucmg.ginutausif.com” instead of the .cloudapp.net name in this step.

         In that case, don’t forget to create a DNS alias. Refer to the process above for creating a DNS alias in your organization’s public DNS.

  • Select the Cloud Management Gateway Certificate and click Enroll.

  • Click Finish on next page once the enrollment is completed.

Exporting the CMG Server Authentication Certificate: We need to supply this certificate in the SCCM console while deploying the Cloud Management Gateway, so we need to export it.

  • Click Start -> Run. Type in mmc and click OK.
  • Click File -> Add/Remove Snap-in.
  • In the Add or Remove Snap-ins, select Certificates, then select Add.
  • In the Certificates snap-in, select Computer account, then select Next.
  • In the Select Computer, select Local computer, then select Finish.
  • In the Add or Remove Snap-ins, select OK.
  • Expand Certificates -> expand Personal and select Certificates.
  • Right-click the CMG Server Authentication Certificate -> All Tasks -> Export.

  • Click Next on “Welcome to the Certificate Export Wizard”.
  • Select “Yes, export the private key”.
  • Select “Personal Information Exchange – PKCS #12 (.PFX)” format and keep default selected check boxes.
  • Enter a password on the next page.
  • Specify a location to export the certificate. Click Finish.
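As an added example (not part of the original post), the request, a few sanity checks and the PFX export above can be done from PowerShell on the SCCM server; the template name CMGServerAuth, the CMG name ginucmg.cloudapp.net and the output path are assumptions.

```powershell
# Added example: request the CMG server authentication certificate from the
# AD CS template created above, verify it meets the CMG requirements, then
# export it as a password-protected PFX for the CMG deployment wizard.
# Assumptions: template named "CMGServerAuth", CMG name ginucmg.cloudapp.net.
$cmgName      = 'ginucmg.cloudapp.net'
$templateName = 'CMGServerAuth'
$pfxPath      = 'C:\Certs\CMGServerAuth.pfx'

# Enroll against the enterprise CA (via AD enrollment policy) into the machine store.
$result = Get-Certificate -Template $templateName -SubjectName "CN=$cmgName" `
              -DnsName $cmgName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$cert = $result.Certificate

# Checks worth making before handing the certificate to the CMG wizard.
$problems = @()
if ($cert.Subject -ne "CN=$cmgName") {
    $problems += "Subject is $($cert.Subject), expected CN=$cmgName"
}
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "Key size $keySize is below 2048 bits" }
if (-not $cert.HasPrivateKey) {
    $problems += 'Private key is missing (was the template set to allow export?)'
}
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present for HTTPS.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'Server Authentication EKU missing' }
# The chain must build to a root this machine trusts.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += "Chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')"
}
if ($problems.Count -gt 0) { throw ($problems -join "`n") }

# Export with the private key (PKCS #12 / PFX) protected by a password.
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $pfxPath"
```

Run it in an elevated PowerShell session on the SCCM server so the certificate lands in the Local Computer Personal store, as in the MMC steps above.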

CMG trusted root certificate to clients

        (This certificate is required in all scenarios)

SCCM Clients must trust the CMG server authentication certificate created above. There are two methods to accomplish this trust:

  • Use a certificate from a public and globally trusted certificate provider, for example (but not limited to) DigiCert, Thawte, or VeriSign. Windows clients include the trusted root certificate authorities (CAs) of these providers. By using a server authentication certificate issued by one of these providers, your clients automatically trust it.
  • Use a certificate issued by an enterprise CA from your public key infrastructure (PKI). Most enterprise PKI implementations add the trusted root CAs to Windows clients. For example, using Active Directory Certificate Services with group policy. If you issue the CMG server authentication certificate from a CA that your clients don’t automatically trust, add the CA trusted root certificate to internet-based clients.

Client Authentication Certificate

This certificate is required for internet-based clients running Windows 8.1 and Windows 10 that are not joined to Azure Active Directory. The clients use this certificate to authenticate with the CMG. Windows 10 devices that are hybrid or cloud domain-joined don’t require this certificate because they use Azure AD to authenticate.

It is also required on the server where the CMG connection point role is installed, so that it can securely forward client requests to the HTTPS management point, which presents its server authentication certificate. If clients use Azure AD authentication or you configure the management point for Enhanced HTTP, this certificate isn’t required.

To create and deploy the client authentication certificate across the estate, refer to my blog “Move ConfigMgr Site to HTTPS Communication”, as it is part of the SCCM PKI setup.

Client trusted root certificate to CMG

This certificate is required when using the client authentication certificates above for internet-based clients.

You supply this certificate when creating the CMG in the Configuration Manager console. The CMG must trust the client authentication certificates. To accomplish this trust, provide the trusted root certificate chain. Make sure to add all certificates in the trust chain.

For example, if the client authentication certificate is issued by an intermediate CA, add both the intermediate and root CA certificates. In version 1902 and earlier, you can only add two trusted root CAs and four intermediate (subordinate) CAs.

When all clients use Azure AD for authentication, this certificate isn’t required.

Exporting the Client Trusted Root Certificate for CMG: After issuing a client authentication certificate to a computer, use the steps below on that computer to export the trusted root so that it can be added later in the CMG configuration wizard.

  • Click Start -> Run. Type in mmc and click OK.
  • Click File -> Add/Remove Snap-in.
  • In the Add or Remove Snap-ins, select Certificates, then select Add.
  • In the Certificates snap-in, select Computer account, then select Next.
  • In the Select Computer, select Local computer, then select Finish.
  • In the Add or Remove Snap-ins, select OK.
  • Expand Certificates -> expand Personal and select Certificates.
  • Select the SCCM client authentication certificate and double-click to open it.

  • Go to the Certification Path tab.
  • Select the next certificate up the chain and select View Certificate.

  • On this new Certificate dialog box, go to the Details tab. Select Copy to File….
  • Complete the Certificate Export Wizard using the default certificate format, DER encoded binary X.509 (.CER). Make note of the name and location of the exported certificate.
  • Export all the certificates in the certification path of the original client authentication certificate. Make note of which exported certificates are intermediate CAs, and which ones are trusted root CAs.
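The chain export above, as an added PowerShell example that is not part of the original post: it locates the client authentication certificate by its Client Authentication EKU, walks its certification path, and writes every CA certificate as a DER .cer file named by its role. The output folder C:\Certs\ClientTrust is an assumption.

```powershell
# Added example: export every CA certificate in the certification path of the
# client authentication certificate as DER (.cer) files, naming each file by
# its role (Root or Intermediate) so the CMG wizard receives the whole chain.
# Assumptions: the client cert carries the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2) and C:\Certs\ClientTrust is writable.
$outDir = 'C:\Certs\ClientTrust'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$clientCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found in the machine store' }

# Build the chain exactly as the Certification Path tab shows it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline export; revocation is checked at use time
if (-not $chain.Build($clientCert)) {
    throw "Chain did not build: $($chain.ChainStatus.StatusInformation -join '; ')"
}

# Element 0 is the client certificate itself; everything above it is a CA.
$exported = foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
    $ca   = $element.Certificate
    # A self-issued certificate at the top of the path is the trusted root.
    $role = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'Intermediate' }
    $file = Join-Path $outDir ("$role-$($ca.Thumbprint).cer")
    Export-Certificate -Cert $ca -FilePath $file -Type CERT | Out-Null   # CERT = DER X.509
    [pscustomobject]@{ Role = $role; Subject = $ca.Subject; File = $file }
}
$exported | Format-Table -AutoSize

# The CMG wizard takes roots and intermediates separately, so report both counts.
$roots  = @($exported | Where-Object Role -eq 'Root').Count
$inters = @($exported | Where-Object Role -eq 'Intermediate').Count
"Exported $roots root and $inters intermediate CA certificate(s) to $outDir"
```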

Now we have both the CMG Server Authentication Certificate and the Client Trusted Root Certificate exported in one place, so that they can be added during CMG configuration.

Certificate for HTTPS Management Point

To configure the management point on HTTPS, we need a separate web server certificate. Refer to the blog “Move ConfigMgr Site to HTTPS Communication” for deploying the web server certificate and switching the MP to HTTPS.

If you have multiple management points in your environment, there is no need to HTTPS-enable them all for CMG. Configure only those management points that will serve internet-based clients.

However, beginning with SCCM version 1806, a new feature was introduced known as Enhanced HTTP. It eliminates the requirement to configure the management point on HTTPS using a web server certificate issued from AD CS.

When you enable Enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate, issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS Default Web Site bound to port 443.

Azure Management Certificate

This certificate is required for CMG classic service deployments. It’s not required for Azure Resource Manager deployments. Starting in version 1810, classic service deployments in Azure are deprecated in Configuration Manager.

Also, starting with Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. This certificate isn’t required in Configuration Manager version 1902 or later.

That’s all from the CMG certificate perspective. Once the certificates are ready, refer to the blog “Deploy SCCM Cloud Management Gateway” for deploying CMG in SCCM.
